Security is a concern for every website owner. It has two sides: prevention and detection. You need to keep your site as safe as possible by keeping it up to date, using strong passwords, and installing only trustworthy software. Unfortunately, no protection is 100% effective, so you need to check your site regularly for signs of infection. Without monitoring, malware can stay on your Web server for months, smuggling sensitive data out. The results can be very expensive.

WordPress is the most popular software in the world for running websites. Its maintainers take security seriously, but it’s an attractive target because of the volume of sites. Plugins and themes can have weaknesses. Zero-day vulnerabilities let attackers install malware on sites that use a plugin before any protection is available. Every WordPress site needs in-depth defense against targeted attacks.

Several services specialize in monitoring WordPress sites for security problems. They look specifically for issues that are known to occur with WordPress and its associated themes and plugins. If something looks wrong, they’ll notify you or your security service provider. You’ll be able to eliminate the problem, often before it can do serious damage.

Google and other search engines maintain blacklists of sites that appear infected. The sites will vanish from search results, and browsers will present scary warnings to users visiting those sites. The best security scanning services check a site’s blacklist status, so you can start fixing the problem before you lose days of business.

Most WordPress monitoring services don’t do security monitoring but just check if the site is up and running. We’re talking here about services that examine incoming and outgoing traffic, looking for anything abnormal and suspicious. They vary in cost and effectiveness. The free ones are useful mostly as one-time checks; serious protection costs money. Some of the things to consider in a monitoring service are:

  • How often it runs checks. Some site owners consider once a day acceptable, while others need more frequent scans.
  • How thorough it is. Each service has different techniques and algorithms.
  • How often it reports false positives. A service that reports non-problems too often causes administrator fatigue and slower responses to real issues.
  • Whether it’s internal (running in part on your network) or external. Each mode has its own advantages. Internal checks are more thorough, while external ones are easier to set up and can’t be disabled by malware.
  • Whether it checks only for vulnerabilities or for active threats. Vulnerability scanning is useful, but it’s not the same as determining whether malware is present.
  • Whether it comes with a remediation service, and whether it’s included in the price or extra. It’s important to understand what you’re paying for.

The following are a few of the most popular services.

Quttera

The ThreatSign service from Quttera includes monitoring, malware removal, and a Web application firewall (WAF). Internal and external monitoring are available. It includes WordPress-specific support. Several plans are available, with different scan intervals and promised response times. It uses its own scanning technology based on regularly updated threat intelligence.

The Quttera WordPress Malware Scanner plugin, which is a free download, checks a site for malware and suspicious code, using Quttera’s servers. It can run one scan in 24 hours. It will check if a site is on any major blacklists.

WP Full Care

The services offered by WP Full Care include site scanning and malware removal. As the name suggests, the company specializes in WordPress sites. The scans are part of a service package that includes offsite backup, software updates, and a website firewall. Scanning isn’t available as a separate service.

Three plans are available, with different levels of support and backup retention. The setup process is more complicated than for a monitoring-only service and may take a couple of days.

Smart WP Fix

You can get security monitoring from Smart WP Fix, with or without the “protect, clean, and fix” service. If you choose just monitoring, the company can provide remediation as a separately billed service. The monitoring service checks your site once a day.

The service is for WordPress sites only. It does real-time inspection of each transaction, using proprietary algorithms. Monitoring is internal, supported by a plugin that has to be installed.

GeekFlare

The GeekFlare security scan is a free service which you launch manually from its website. It checks WordPress sites externally for known vulnerabilities, rather than for active threats. In other words, it reports on how well-protected the site is rather than whether it currently has malware.

It examines the WordPress core version, blacklist status, use of HTTPS, themes, plugins, and admin console protection. These are all basic considerations which any site owner should take care of. GeekFlare is useful as a one-time check but isn’t intended for ongoing protection.

Sucuri

Although Sucuri provides a general-purpose scanning service that isn’t limited to any one platform, it’s backed by strong WordPress expertise. It offers three tiers of protection, differing by scan frequency and services. The Business level includes malware removal within 6 hours.

Features include internal scanning, uptime monitoring, blacklist checking, file malware inspection, and monitoring for changes in the SSL certificate or DNS records. A free one-time check is available. A free WordPress plugin will run scheduled scans for malicious code and core file integrity issues.

General considerations

If you want ongoing, thorough scanning, you have to pay for it. The free tools provide limited one-time checks, but they won’t give your site day-to-day protection. The paid services monitor your site regularly and update their analysis based on the latest threat intelligence. Most of them offer multiple tiers; the higher levels offer more frequent scans and better turnaround on remediation.

Having your WordPress website regularly monitored at any level is a lot better than not doing it at all. It will catch suspicious activity that you might otherwise not notice. If your site has gotten onto blacklists, it will let you know so you can figure out how to get back into good standing. With regular security monitoring, you can be more confident that your site is free from malware and its data is safe.

When we create a website for you, we’ll help you to choose the best ways to protect it. Contact us to get started.